Cloud contracts – check your SLAs

As cloud computing grows and becomes part of organisational growth strategies, procurement of cloud computing services has also moved to the front of mind.

Information security is a key pain point for organisations looking to take up and rapidly consume cloud services, and with good reason. Leading cloud service providers, namely Rackspace, Google Apps and Microsoft Azure, have had their fair share of outages in the past 18 months, with Amazon EC2 being the latest: an outage that lasted over 45 hours. Availability is one of the three pillars of information security, so an outage of that length is a security failure as much as an operational one.

Traditionally, contracts have been the realm of the procurement, accounting, legal or sourcing functions. Technologists and, more specifically, information security professionals kept a safe distance from them, primarily because they are boring and mind-numbing. But with cloud services consumption on the rise and organisations' data assets and computing capability being rapidly cloud-sourced, concerns about service levels (data security, data leakage, data access, scalability, and compliance with security policies and standards) have been magnified.

In a previous article, Cloud contracts – the Devil is in the detail, I highlighted examples from published research that suggest that, whilst most of the concerns regarding service levels, data security, data leakage and availability are similar to those of traditional outsourcing contracts, there are areas that require specific consideration and careful thought.

Ensure that the performance and response-time commitments for your cloud service are explicitly documented, including provision for peak periods where you know that application processing demand has historically run above normal.

Ensure that, for all three cloud service models, Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), the error correction time is documented and that the response and escalation procedures are fully understood and documented. Bear in mind that the split of responsibility differs between the models: with IaaS the customer typically secures and patches the guest operating system and everything above it, whereas with SaaS the provider operates the whole stack, so the contract should state which classes of fault each party is expected to correct.

Ensure that infrastructure compliance and security effectiveness measures, together with their reporting parameters, are defined and that the reporting periods are agreed. These should match the periods and frequency of the organisation's own internal and external reporting obligations.

Ensure that accountabilities are clearly defined from a data security perspective and that, where a breach occurs due to the vendor's errors or omissions, the vendor is "responsible for all damage, fines" and so on. Check this wording against any limitation-of-liability clause elsewhere in the contract: a standard cap on damages or an exclusion of consequential loss can quietly undo a breach-accountability clause.

Ensure that you document, in exact terms and with the associated obligations, what will be undertaken if the contract is terminated, with specified timelines and, where possible, agreed data formats for the return of your data and confirmation that the provider's remaining copies have been destroyed.

So there you have it, a quick list of cloud services SLA considerations. A single article cannot cover all cloud computing contract issues. As I become aware of additional information I will add to this list. Rest assured your obligations as a security professional have increased since the advent of cloud computing, especially in areas like contracts and SLAs.

Work with your procurement, sourcing and legal contacts to represent the information security interests within contracts, so that each contract adequately and appropriately reflects the organisation's confidentiality, integrity and availability requirements.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.